It’s not yet clear who is behind the hack, but a group describing itself as a Russian jihadist cyberterrorist group is claiming responsibility. BuzzFeed has spoken to a TalkTalk customer included in an apparent preliminary dump of customer data, and it appears to be legitimate — although the hacker’s stated political affiliation could well be false.

Here’s what customer data TalkTalk says may have been “accessed” — and presumably stolen:

Names

Addresses

Dates of birth

Email addresses

Telephone numbers

TalkTalk account information

Credit card details and/or bank details

The company has around 4 million UK customers.

The BBC is reporting that TalkTalk’s website was targeted by a DDoS attack — overwhelming servers with traffic. This on its own wouldn’t give the attacker access to internal data, however.

The TalkTalk website is still unavailable; as of Friday morning, this is what users attempting to access their account see:

[Image: TalkTalk]

Here’s what the news has done to TalkTalk’s share price:

[Image: Google]

TalkTalk has been hit with hack attacks before. In a statement issued in August 2015, it said its mobile sales site had been targeted by “a sophisticated and co-ordinated cyber attack, along with a number of other similar websites.” The company warned that customer details may have been compromised in that attack.

It’s not yet clear whether the hackers gained access to customers’ full credit card details, or if they were at least partially encrypted (if they weren’t, it’d be a major security issue). The company says that “not all of the data was encrypted” — had it been, it would be very difficult for the attacker to make any sense of it.

And even if the attacker doesn’t have access to credit card data, it still puts customers at risk of fraud and scams.

Large sets of stolen customer data like this are often sold on dark web forums, where scammers can cross-reference them with other stolen datasets and use the information to impersonate and defraud the victims.

Fraudsters have used data stolen in previous TalkTalk hacks to impersonate company employees and trick customers into handing over more details. One man was scammed out of £2,800 after someone claiming to be from TalkTalk’s fraud team called him and told him there was an issue with his account.

The BBC reports that TalkTalk is offering affected customers a year of free credit monitoring.

In a statement, TalkTalk said:

We would like to reassure you that we take any threat to the security of our customers’ data very seriously. We constantly review and update our systems to make sure they are as secure as possible and we’re taking all the necessary steps to understand this incident and to protect as best we can against similar attacks in future. Unfortunately cyber criminals are becoming increasingly sophisticated and attacks against companies which do business online are becoming more frequent.